From patchwork Mon Jan 5 08:31:57 2026
Content-Type: text/plain; charset="utf-8"
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 77987
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][kirkstone][PATCH 1/5] python-grpcio(-tools): add grpc:grpc to cve product
Date: Mon, 5 Jan 2026 09:31:57 +0100
Message-ID: <20260105083201.1225143-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123127

From: Peter Marko

These grpc python modules contain parts of grpc core.
Each CVE needs to be assessed if the patch applies also to core parts
included in each module.

Note that so far there was never a CVE specific for python module, only
for grpc:grpc and many of those needed to be fixed at least in grpcio:

sqlite> select vendor, product, count(*) from products where product like '%grpc%' group by vendor, product;
grpc|grpc|21
grpck|grpck|1
linuxfoundation|grpc_swift|9
microsoft|grpconv|1
opentelemetry|configgrpc|1

Signed-off-by: Peter Marko
Signed-off-by: Khem Raj
(cherry picked from commit f993cb2ecb62193bcce8d3d0e06e180a7fef44b8)
Signed-off-by: Gyorgy Sarvari
--- .../recipes-devtools/python/python3-grpcio-tools_1.45.0.bb | 2 ++ meta-python/recipes-devtools/python/python3-grpcio_1.45.0.bb | 2 ++ 2 files changed, 4 insertions(+) diff --git a/meta-python/recipes-devtools/python/python3-grpcio-tools_1.45.0.bb b/meta-python/recipes-devtools/python/python3-grpcio-tools_1.45.0.bb index be851ba990..1f74d25aee 100644 --- a/meta-python/recipes-devtools/python/python3-grpcio-tools_1.45.0.bb +++ b/meta-python/recipes-devtools/python/python3-grpcio-tools_1.45.0.bb @@ -19,3 +19,5 @@ do_compile:prepend() { } BBCLASSEXTEND = "native nativesdk" + +CVE_PRODUCT += "grpc:grpc" 
diff --git a/meta-python/recipes-devtools/python/python3-grpcio_1.45.0.bb b/meta-python/recipes-devtools/python/python3-grpcio_1.45.0.bb index 56b84dab72..2671e5c738 100644 --- a/meta-python/recipes-devtools/python/python3-grpcio_1.45.0.bb +++ b/meta-python/recipes-devtools/python/python3-grpcio_1.45.0.bb 
@@ -47,4 +47,6 @@ CLEANBROKEN = "1" BBCLASSEXTEND = "native nativesdk" +CVE_PRODUCT += "grpc:grpc" + CCACHE_DISABLE = "1"

From patchwork Mon Jan 5 08:31:58 2026
Content-Type: text/plain; charset="utf-8"
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 77986
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][kirkstone][PATCH 2/5] python3-protobuf: set CVE_PRODUCT
Date: Mon, 5 Jan 2026 09:31:58 +0100
Message-ID: <20260105083201.1225143-2-skandigraun@gmail.com>
In-Reply-To: <20260105083201.1225143-1-skandigraun@gmail.com>
References: <20260105083201.1225143-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123128

From: Peter Marko

Similarly to c++ protobuf, add products matching historical entries.

Signed-off-by: Peter Marko
Signed-off-by: Khem Raj
(cherry picked from commit ae7556a737f7d21b0e345226fdab4a286d2f85db)
Signed-off-by: Gyorgy Sarvari
--- meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb b/meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb index 3c25373796..b3846ddeb3 100644 --- a/meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb +++ b/meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb 
@@ -11,6 +11,8 @@ SRC_URI += "file://CVE-2025-4565.patch" SRC_URI[sha256sum] = "2e3427429c9cffebf259491be0af70189607f365c2f41c7c3764af6f337105f2" +CVE_PRODUCT += "google:protobuf protobuf:protobuf google-protobuf protobuf-python" + # http://errors.yoctoproject.org/Errors/Details/184715/ # Can't find required file: ../src/google/protobuf/descriptor.proto CLEANBROKEN = "1"

From patchwork Mon Jan 5 08:31:59 2026
Content-Type: text/plain; charset="utf-8"
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 77988
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][kirkstone][PATCH 3/5] python3-cbor2: ignore CVE-2025-64076
Date: Mon, 5 Jan 2026 09:31:59 +0100
Message-ID: <20260105083201.1225143-3-skandigraun@gmail.com>
In-Reply-To: <20260105083201.1225143-1-skandigraun@gmail.com>
References: <20260105083201.1225143-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123129

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-64076

The vulnerability was introduced in v5.6.0[1], the recipe version doesn't
contain the vulnerable piece of code.

[1]: https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542

Signed-off-by: Gyorgy Sarvari
--- meta-python/recipes-devtools/python/python3-cbor2_5.4.2.bb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta-python/recipes-devtools/python/python3-cbor2_5.4.2.bb b/meta-python/recipes-devtools/python/python3-cbor2_5.4.2.bb index 0d0ab6af37..bbdeca7adb 100644 --- a/meta-python/recipes-devtools/python/python3-cbor2_5.4.2.bb +++ b/meta-python/recipes-devtools/python/python3-cbor2_5.4.2.bb 
@@ -12,6 +12,9 @@ SRC_URI += " \ file://run-ptest \ " +# not vulnerable yet, vulnerability was introduced in v5.6.0 +CVE_CHECK_IGNORE = "CVE-2025-64076" + RDEPENDS:${PN}-ptest += " \ ${PYTHON_PN}-pytest \ ${PYTHON_PN}-unixadmin \

From patchwork Mon Jan 5 08:32:00 2026
Content-Type: text/plain; charset="utf-8"
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 77989
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][kirkstone][PATCH 4/5] python3-configobj: patch CVE-2023-26112
Date: Mon, 5 Jan 2026 09:32:00 +0100
Message-ID: <20260105083201.1225143-4-skandigraun@gmail.com>
In-Reply-To: <20260105083201.1225143-1-skandigraun@gmail.com>
References: <20260105083201.1225143-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123130

Details: https://nvd.nist.gov/vuln/detail/CVE-2023-26112

Pick the patch that resolves the issue referenced in the NVD report.

Signed-off-by: Gyorgy Sarvari
--- .../python3-configobj/CVE-2023-26112.patch | 25 +++++++++++++++++++ .../python/python3-configobj_5.0.6.bb | 3 ++- 2 files changed, 27 insertions(+), 1 deletion(-) create mode 100644 meta-python/recipes-devtools/python/python3-configobj/CVE-2023-26112.patch diff --git a/meta-python/recipes-devtools/python/python3-configobj/CVE-2023-26112.patch b/meta-python/recipes-devtools/python/python3-configobj/CVE-2023-26112.patch new file mode 100644 index 0000000000..35d8ea77cf --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-configobj/CVE-2023-26112.patch 
@@ -0,0 +1,25 @@ +From 76dd27ec0dbde6c852f412390ac4e2cfefa8af76 Mon Sep 17 00:00:00 2001 +From: cdcadman +Date: Wed, 17 May 2023 03:57:08 -0700 +Subject: [PATCH] Address CVE-2023-26112 ReDoS + +CVE: CVE-2023-26112 +Upstream-Status: Backport [https://github.com/DiffSK/configobj/commit/7c618b0bbaff6ecaca51a6f05b29795d1377a4a5] +Signed-off-by: Gyorgy Sarvari +--- + validate.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/validate.py b/validate.py +index b7a964c..af76898 100644 +--- a/validate.py ++++ b/validate.py +@@ -542,7 +542,7 @@ class Validator(object): + """ + + # this regex does the initial parsing of the checks +- _func_re = re.compile(r'(.+?)\((.*)\)', re.DOTALL) ++ _func_re = re.compile(r'([^\(\)]+?)\((.*)\)', re.DOTALL) + + # this regex takes apart keyword arguments + _key_arg = re.compile(r'^([a-zA-Z_][a-zA-Z0-9_]*)\s*=\s*(.*)$', re.DOTALL) diff --git a/meta-python/recipes-devtools/python/python3-configobj_5.0.6.bb b/meta-python/recipes-devtools/python/python3-configobj_5.0.6.bb index 1125a6389d..589ad6f1d9 100644 --- a/meta-python/recipes-devtools/python/python3-configobj_5.0.6.bb +++ b/meta-python/recipes-devtools/python/python3-configobj_5.0.6.bb 
@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://configobj.py;md5=a7c3968dd866dfd23e91e125b669ab21" PYPI_PACKAGE = "configobj" SRC_URI[sha256sum] = "a2f5650770e1c87fb335af19a9b7eb73fc05ccf22144eb68db7d00cd2bcb0902" -SRC_URI += "file://0001-Switch-from-using-distutils-to-setuptools.patch" +SRC_URI += "file://0001-Switch-from-using-distutils-to-setuptools.patch \ + file://CVE-2023-26112.patch" inherit pypi setuptools3

From patchwork Mon Jan 5 08:32:01 2026
Content-Type: text/plain; charset="utf-8"
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 77990
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][kirkstone][PATCH 5/5] python3-flask: patch CVE-2023-30861
Date: Mon, 5 Jan 2026 09:32:01 +0100
Message-ID: <20260105083201.1225143-5-skandigraun@gmail.com>
In-Reply-To: <20260105083201.1225143-1-skandigraun@gmail.com>
References: <20260105083201.1225143-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123131

Details: https://nvd.nist.gov/vuln/detail/CVE-2023-30861

Pick the patch referenced by the NVD report.

Signed-off-by: Gyorgy Sarvari
--- .../python/python3-flask/CVE-2023-30861.patch | 94 +++++++++++++++++++ .../python/python3-flask_2.1.1.bb | 1 + 2 files changed, 95 insertions(+) create mode 100644 meta-python/recipes-devtools/python/python3-flask/CVE-2023-30861.patch diff --git a/meta-python/recipes-devtools/python/python3-flask/CVE-2023-30861.patch b/meta-python/recipes-devtools/python/python3-flask/CVE-2023-30861.patch new file mode 100644 index 0000000000..370f17bb7f --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-flask/CVE-2023-30861.patch 
@@ -0,0 +1,94 @@ +From 32cc429640d7307caa2075d15b0634fd886c6381 Mon Sep 17 00:00:00 2001 +From: David Lord +Date: Mon, 1 May 2023 08:01:32 -0700 +Subject: [PATCH] set `Vary: Cookie` header consistently for session + +CVE: CVE-2023-30861 +Upstream-Status: Backport [https://github.com/pallets/flask/commit/afd63b16170b7c047f5758eb910c416511e9c965] +Signed-off-by: Gyorgy Sarvari +--- + src/flask/sessions.py | 10 ++++++---- + tests/test_basic.py | 23 +++++++++++++++++++++++ + 2 files changed, 29 insertions(+), 4 deletions(-) + +diff --git a/src/flask/sessions.py b/src/flask/sessions.py +index 4e19270..039e30c 100644 +--- a/src/flask/sessions.py ++++ b/src/flask/sessions.py +@@ -385,6 +385,10 @@ class SecureCookieSessionInterface(SessionInterface): + samesite = self.get_cookie_samesite(app) + httponly = self.get_cookie_httponly(app) + ++ # Add a "Vary: Cookie" header if the session was accessed at all. ++ if session.accessed: ++ response.vary.add("Cookie") ++ + # If the session is modified to be empty, remove the cookie. + # If the session is empty, return without setting the cookie. + if not session: +@@ -397,13 +401,10 @@ class SecureCookieSessionInterface(SessionInterface): + samesite=samesite, + httponly=httponly, + ) ++ response.vary.add("Cookie") + + return + +- # Add a "Vary: Cookie" header if the session was accessed at all. 
+- if session.accessed: +- response.vary.add("Cookie") +- + if not self.should_set_cookie(app, session): + return + +@@ -419,3 +420,4 @@ class SecureCookieSessionInterface(SessionInterface): + secure=secure, + samesite=samesite, + ) ++ response.vary.add("Cookie") +diff --git a/tests/test_basic.py b/tests/test_basic.py +index 2a177e9..2da7699 100644 +--- a/tests/test_basic.py ++++ b/tests/test_basic.py +@@ -558,6 +558,11 @@ def test_session_vary_cookie(app, client): + def setdefault(): + return flask.session.setdefault("test", "default") + ++ @app.route("/clear") ++ def clear(): ++ flask.session.clear() ++ return "" ++ + @app.route("/vary-cookie-header-set") + def vary_cookie_header_set(): + response = flask.Response() +@@ -590,11 +595,29 @@ def test_session_vary_cookie(app, client): + expect("/get") + expect("/getitem") + expect("/setdefault") ++ expect("/clear") + expect("/vary-cookie-header-set") + expect("/vary-header-set", "Accept-Encoding, Accept-Language, Cookie") + expect("/no-vary-header", None) + + ++def test_session_refresh_vary(app, client): ++ @app.get("/login") ++ def login(): ++ flask.session["user_id"] = 1 ++ flask.session.permanent = True ++ return "" ++ ++ @app.get("/ignored") ++ def ignored(): ++ return "" ++ ++ rv = client.get("/login") ++ assert rv.headers["Vary"] == "Cookie" ++ rv = client.get("/ignored") ++ assert rv.headers["Vary"] == "Cookie" ++ ++ + def test_flashes(app, req_ctx): + assert not flask.session.modified + flask.flash("Zap") diff --git a/meta-python/recipes-devtools/python/python3-flask_2.1.1.bb b/meta-python/recipes-devtools/python/python3-flask_2.1.1.bb index 24a7047703..edf9f628d2 100644 --- a/meta-python/recipes-devtools/python/python3-flask_2.1.1.bb +++ b/meta-python/recipes-devtools/python/python3-flask_2.1.1.bb 
@@ -6,6 +6,7 @@ HOMEPAGE = "https://github.com/mitsuhiko/flask/" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE.rst;md5=ffeffa59c90c9c4a033c7574f8f3fb75" +SRC_URI += "file://CVE-2023-30861.patch" SRC_URI[sha256sum] = "a8c9bd3e558ec99646d177a9739c41df1ded0629480b4c8d2975412f3c9519c8" PYPI_PACKAGE = "Flask"
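
Review bot: In both recipe hunks of PATCH 1/5 the added CVE_PRODUCT += "grpc:grpc" line has no comment, although the commit message says every grpc:grpc CVE has to be assessed against the core parts bundled in each module. A one-line comment above the assignment, saying that grpc:grpc matches are expected and need per-CVE triage, would keep that reasoning in the recipe, which is where someone reading the cve-check report will look for it.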
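
Review bot: The += on the added CVE_PRODUCT line in python3-protobuf_3.20.3.bb (PATCH 2/5) appends to whatever value is already assigned when that line is parsed, and the hunk shows no earlier assignment. BitBake does not treat a weak ??= default as an existing value for +=, so a product name supplied only that way drops out of the list. Checking the final value with bitbake -e python3-protobuf | grep ^CVE_PRODUCT= would confirm that the recipe's own product is still matched next to the four new entries. The same check applies to the two += lines in PATCH 1/5.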
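
Review bot: CVE_CHECK_IGNORE is assigned with = in the python3-cbor2_5.4.2.bb hunk (PATCH 3/5), which replaces any value set earlier for this recipe instead of extending it. Writing CVE_CHECK_IGNORE += "CVE-2025-64076" keeps entries that come from an include file or a configuration file. The comment could also tie the ignore to the recipe version, for example "5.4.2 predates v5.6.0, where the vulnerable code was introduced", so that it is revisited when the recipe is upgraded.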
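
Review bot: The embedded CVE-2023-26112.patch in PATCH 4/5 changes only the _func_re pattern in validate.py and brings no test with it, so nothing in the series shows that the narrowed first group ([^\(\)]+?) still parses the check strings that 5.0.6 accepts. It is worth running the package's existing validate tests against the patched source and noting the result in the commit message. Minor: the recipe hunk rewrites the existing SRC_URI += line into a continuation; a separate SRC_URI += "file://CVE-2023-26112.patch" line would keep the recipe diff to one added line.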
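
Review bot: The commit message of PATCH 5/5 says only that the patch was picked from the NVD report, while the sessions.py hunks change behaviour in two places: the session.accessed check moves above the empty-session branch, and response.vary.add("Cookie") is now also called after delete_cookie and after set_cookie. One sentence in the commit message stating that Vary: Cookie is now sent whenever the session cookie is set, refreshed or deleted (the case test_session_refresh_vary covers) would tell reviewers what this backport changes for users of 2.1.1.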